Roadmap: integration into `pip` as `pip audit` subcommand

[di]

This issue describes a potential roadmap for the integration of pip-audit into pip as a pip audit subcommand, as well as potential blockers.

This top-level comment will be edited as the roadmap is updated and progresses. Comments to this issue will describe progress on the roadmap for subscribers.

• [x] Transfer this project to the PyPA
• [ ] pip supports a vulnerability API that isn't the legacy JSON API
  • [x] initial support in pip for PEP 691: https://github.com/pypa/pip/pull/11158
  • [ ] new PEP to describe additional vulnerability fields for PEP 691
• [ ] pip-audit supports PEP 691 + future PEP instead of legacy JSON API for PyPI
• [ ] pip-api needs to support being vendored by pip and using internal pip API instead of CLI
  • [ ] https://github.com/di/pip-api/pull/138/
• [ ] pip-audit needs to support being vendored by pip and 'mounted' as a subcommand
  • [ ] audit all our sub-dependencies and determine if we will introduce any new pip sub-dependencies, or if that can be avoided
  • [ ] a method to minimally restrict what parts of our command API are available via pip audit, which would allow us to slowly introduce existing pip-audit features into pip audit rather than all at once.
  • [ ] similar to the above: features that should not be part of the pip integration need to be marked and gated during vendoring, e.g. our current CycloneDX SBOM support
• [ ] pip-audit and necessary dependencies are vendored into pip
• [ ] new release of pip with support for pip audit

I think the core functionality we'll want to support is:

• Auditing the local environment: pip audit
• Auditing a requirements file: pip audit -r <filename>
• Auditing a source tree for a Python project: pip audit .
• Output in formats that pip currently supports (e.g. JSON, text/columns)

Things that pip-audit supports that pip audit may want to support eventually but don't need to be included in the initial release:

• Automated fixing/remediation (--fix)
• Output in formats that pip doesn't currently support (e.g. SBOM format)

Things that pip-audit supports that pip will likely never support:

• Support for non-PEP 691 compliant APIs (e.g. legacy JSON, OSV)

[woodruffw]

Added another sub-item to the "needs to support being vendored by pip" task to reflect that we need to completely "fuse off" some functionality, but otherwise this roadmap LGTM!